Description
This Spring web application is configured to disable the automatic HTML escaping for Spring tags which may lead to Cross-Site Scripting vulnerabilities.
Remediation
It's recommended to enable HTML escaping for Spring tags. This can be configured from web.xml like in the example below:
<web-app> ... <context-param> <param-name>defaultHtmlEscape</param-name> <param-value>true</param-value> </context-param> ... </web-app>At page level, it is defined as a tag-declaration.
<spring:htmlEscape defaultHtmlEscape="true" />
References
Related Vulnerabilities
WordPress Plugin Custom Website Data Cross-Site Scripting (2.2)
WordPress Plugin WP?????? Cross-Site Scripting (1.3.9)
WordPress Plugin Gmedia Photo Gallery Multiple Cross-Site Scripting Vulnerabilities (1.18.4)
WordPress Plugin Better User Shortcodes Multiple Cross-Site Scripting Vulnerabilities (1.0)
WordPress Plugin SEOPress, on-site SEO Cross-Site Scripting (5.0.3)